Exploiting User-land Vulnerabilities to Get a Rogue App Installed Remotely on iOS 11, presented at Recon Montreal 2018

by Liang Chen, Marco Grassi

Summary: Apple has introduced several security enhancements in iOS 11 to mitigate known attacks. Those enhancements include reducing the attack surface reachable from the Apple sandbox, adding kernel protection mechanisms, and more. As a result, chaining a series of vulnerabilities to defeat all of iOS's defense in depth has become harder and harder. Furthermore, because Apple enforces code signing, a kernel exploit is usually needed to run unsigned applications on an iOS system. And even on a fully compromised iOS system, in most cases the exploit cannot persist across a reboot.

During Mobile Pwn2Own 2017, we (KeenLab) remotely pwned an iOS 11 system twice, once by exploiting the browser and once by exploiting the Wi-Fi, each involving only one click by the user. After achieving in-sandbox code execution, we broke out of the Apple sandbox, then installed a rogue application and bypassed the code signing requirement. The installed application persists across reboots. Surprisingly, all the bugs we used in the whole chain are from user-land.

In this talk we will discuss the whole strategy used to achieve this. We will disclose the details of the vulnerability we used to break out of the sandbox (CVE-2017-7162), a double free vulnerability in the IOKit framework. The bug needs to be exploited by racing on a separate thread, but with our exploit techniques we achieved 100% reliable exploitation. We will also talk about our approach to installing the application and bypassing code signing. We will give a demo to illustrate our techniques.